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Abstract. We develop a conceptually clear, intuitive, and feasible de- 
cision procedure for testing satisfiability in the full multiagent epistemic 
logic CMAEL(CD) with operators for common and distributed knowl- 
edge for all coalitions of agents mentioned in the language. To that end, 
we introduce Hintikka structures for CMAEL(CD) and prove that sat- 
isfiability in such structures is equivalent to satisfiability in standard 
models. Using that result, we design an incremental tableau-building 
procedure that eventually constructs a satisfying Hintikka structure for 
every satisfiable input set of formulae of CMAEL(CD) and closes for 
every unsatisfiable input set of formulae. 

Keywords: multi-agent epistemic logic, satisfiability, tableau, decision proce- 
dure 

1 Introduction 

Over the last three decades, multiagent epistemic logics [S], [57] have been play- 
ing an increasingly important role in computer science and AI. The earliest 
prominent applications have been to specification, design, and verification of 
distributed protocols [23] and [H] ; a number of other applications are described 
in, among others, [9], [10] . and |27j . The most recent, and perhaps more impor- 
tant ones are to specification, design, and verification of multiagent systems — a 
research area that has emerged on the borderline between distributed computing, 
AI, and game theory [36], [45], [47] . 

1.1 Multiagent epistemic logics and decision methods for them 

Languages of multiagent epistemic logics considered in the literature contain var- 
ious repertoires of epistemic operators. We refer to the basic multiagent epistemic 
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logic, containing only operators of individual knowledge for a finite non-empty 
set £ of agents, as MAEL (Multi Agent Epistemic Logic). Since all epistemic 
operators of this logic are S5-type modalities, it is also referred to in the litera- 
ture as S5„, where n is the number of agents in the language. The logic obtained 
from MAEL by adding the operator of common knowledge among all agents in 
£ is then called MAEL(C). This logic, along with MAEL, was studied in [25] . 
Analogously, if MAEL is augmented with the operator of distributed knowledge 
for all agents, then the resulting logic will be called MAEL(D). It was studied 
in [TDJ and [35] ■ MAEL augmented with operators of both common and dis- 
tributed knowledge for the set of all agents, hereafter called MAEL(CD), was 
studied in [39] , and a tableau-based decision procedure for it was first presented 
in [14]. Thus, all logics mentioned so far either do not have both operators of 
common and distributed knowledge, or only have those operators for the whole 
set of agents in the language. 

At the same time, there has recently been an increasing interest in the study 
of coalitional multiagent logics (see [3D], [3T], [32], [2J, [ID], [I3J), i.e. logics whose 
languages refer to any groups (coalitions) of agents. These are important, inter 
alia, in multiagent systems, where agents may "cooperate" (i.e., form a coalition) 
in order to achieve a certain goal. Most of the so far studied logical formalisms 
referring to coalitions of agents have only been concerned with formalizing rea- 
soning about strategic abilities of coalitions. (A notable exception is [40] . where 
the Alternating-time Temporal Epistemic Logic ATEL was introduced, whose 
language contains both common knowledge and strategic operators for coali- 
tions of agents.) Clearly, real cooperation can only be achieved by communica- 
tion, i.e., exchange of knowledge. Thus, it is particularly natural and important 
to consider multiagent epistemic logics with operators for both common and 
distributed knowledge among any (non-empty) coalitions of agents. This is the 
logic under consideration in the present paper, hereby called CMAEL(CD) 
(for Coalitional Multi- Agent Epistemic Logic with operators of Common and 
Distributed knowledge). It subsumes all multiagent epistemic logics mentioned 
above, except ATEL. 

In order to be practically useful for such tasks as specification and design of 
distributed or multiagent systems, the respective logic need to be equipped with 
algorithms solving (constructively) its satisfiability problem, i.e. testing whether 
a given input formula (p of that logic is satisfiable and, if so, providing enough 
information for the construction of a model for (p. Decidability of modal log- 
ics, including epistemic logics, is usually proved by establishing a 'small model 
property', which provides a brute force decision procedure consisting of exhaus- 
tive search for a model amongst all those whose size is within the theoretically 
prescribed bounds. The two most common practically feasible general methods 
for satisfiability checking of modal logics are based on automata [U] and on 
tableaux (see e.g., [33], [3J, Q3], 05], [SJ, [H], [H]). 

There are various styles of tableau-based decision procedures; see [TT], [TDJ 
and [T2] for detailed exposition and surveys. An easy to describe but some- 
what less efficient and practically unfeasible approach, that we will call maximal 
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tableau (also called top-down in [8]), consists in trying to build in one step a 
'canonical' finite model for any given formula out of all maximal consistent sub- 
sets of the closure of that formula. This method always works in (at least) expo- 
nential time and usually produces a wastefully large model, if any exists. A more 
flexible and more practically applicable version, adopted in the present paper, 
is a so called incremental (aka, 'bottom-up') tableau building procedure. While 
in all known cases, the worst-case time complexity for maximal and incremental 
tableaux are the same, the crucial difference is that maximal tableaux always 
require the amount of resources predicted by the theoretical worst-case time 
estimate, while incremental tableaux work on average much more efficientljF] 



1.2 Related work and comparison 

The present work is part of a series of papers ( [H] , [H] , [IB] , [H] ) where we have 
embarked on the project of developing practically efficient yet intuitive and con- 
ceptually clear incremental-tableau-based satisfiability checking procedures for 
a range of multiagent logics. This paper builds on the conference papers |T3j and 
[18] by substantially extending, revising, and improving them. 

There are three inherent complications affecting the construction of a tableau 
procedure for the logic CMAEL(CD), arising respectively from the common 
knowledge (fixpoint-definable operator) , the distributed knowledge (with associ- 
ated epistemic relation being the intersection of the individual knowledge epis- 
tcmic relations) , and the interactions between the knowledge operators over dif- 
ferent coalitions of agents. 

Several tableau-based methods for satisfiability-checking for modal logics 
with fixpoint-definable operators have been developed and published over the 
past 30 years, all going back to the tableau-based decision methods developed 
for the Propositional Dynamic Logic PDL in [34] , for the branching-time tem- 
poral logics UB in [3j and CTL in .8, Section 5] and [7] . In terms of handling 
eventualities arising from the fixed-point operators our tableau method follows 
more closely on the incremental tableaux for the linear time temporal logic LTL 
in [46] and for CTL in [8, Section 7]. 

A particular complication arising in the tableau for CMAEL(CD) stems 
from the fact that the epistemic operators, being S5 modalities, are symmetric, 
and thus the epistemic boxes have global effect on the model, too. This requires 
a special mechanism for propagating their effect backwards when occurring in 
states of the tableau. In the present paper we have chosen to implement such 
mechanism by using analytic cut rules, going back to Smullyan |37j and Fitting 
[11], see also [19] and [28]. More recently, tableaux with analytic cut rules for 
modal logics with symmetric relations have been developed in [21], [2D], [5]. 

4 This claim can not be made mathematically precise due to the lack of an a priori 
probability distribution on formulae of a logic. The interested reader may consult [T7] 
for comparison of efficiency of the two types of tableaux in the context of Alternating- 
time temporal logic ATL. 



3 



We note that there is a natural tradeoff between conceptual clarity and sim- 
plicity of (tableau-based) decision procedures on the one hand, and their tech- 
nical sophistication and optimality on the other hand. We emphasize that the 
main objective of developing the tableau procedure presented here is the con- 
ceptual clarity, intuitiveness, and ease of implementation, rather than practical 
optimality. While being optimal in terms of worst-case time complexity and in- 
corporating some new and non-trivial optimizing features (such as restricted 
applications of cut rules) this procedure is amenable to various improvements 
and further optimizations. Most important known such optimizations are on- 
the-fly techniques for elimination of bad states and one-pass tableau methods 
developed for some related logics in [35], pQ and cut-free versions of tableau as 
in pQ for MAEL(C), [22] for PDL with converse operators, [29] for the de- 
scription logic SHI and of sequent calculi, in [55] for MAEL(C) and in [3] for 
LTL and CTL. We discuss briefly the possible modifications of our procedure, 
implementing such optimizing techniques in Section [6] 

Here is a summary (in a roughly chronological order) of the more closely 
related previous work, besides our own, on tableau-based decision procedures 
for multiagent epistemic logics with common and/or distributed knowledge: 



— the maximal tableaux for MAEL(C), presented in [25]; 

— the semantic construction used in |101 Appendix Al] to prove completeness 
of an axiomatic system for MAEL(D); 

— the proof of decidability of MAEL(CD) based on finite model property via 
filtration in |39j : 

— the maximal tableau-like decision procedure for ATL, presented in [44j and 
extended to ATEL in 143]; 

— the exponential-time tableau-based procedure developed in [6] for testing sat- 
isfiability in the BDI logic, that has some common features with CMAEL(C); 

— the optimized cut-free single-pass tableaux for the multi-agent logic of com- 
mon knowledge MAEL(C), in [T]. on tableaux for multiagent logics using 
global caching and analytic cuts in [5]. 



1.3 Structure of the paper 



In Section 2 we introduce the syntax and semantics of the logic CMAEL(CD). 
In Section 3 wc introduce Hintikka structures for CMAEL(CD) and show that 
Hintikka structures are equivalent to Kripkc models with respect to satisfiability 
of formulae. Then, in Section [4] we develop the tableau procedures checking for 
satisfiability of formulae of CMAEL(CD). In Section[5j we prove the correct- 
ness of our procedure in Section[6]we estimate its complexity, discuss it efficiency 
and indicate some possible technical improvements. We end with concluding re- 
marks pointing out some directions for further development. 
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2 Syntax and semantics 



2.1 Syntax of CMAEL(CD) 

The language of CMAEL(CD) contains a fixed, at most countable, set AP 
of atomic propositions, typically denoted by p,q,r, . . .; a finite, non-empty set 
E of (names for) agent^J typically denoted by a, b,..., while sets of agents, 
called coalitions, will be usually denoted by A,B,...; a sufficient repertoire of 
the Boolean connectives, say -i ("not") and A ("and"); and, for every non-empty 
coalition A, the epistemic operators ("it is distributed knowledge among A 
that . . . ") and ("it is common knowledge among A that ..."). The formulae 
of CMAEL(CD) are thus defined by the following BNF expression: 

ip := p | ->ip | (cpi A p 2 ) | T) A p | C A p, 

where p ranges over AP and A ranges over the set V + (£) of non-empty subsets of 
S. The other Boolean connectives can be defined as usual. We denote formulae 
of CMAEL(CD) by (p, ip,x> ••• an d omit parentheses in formulae whenever it 
does not result in ambiguity. 

The distributed knowledge operator T) A tp intuitively means that an "A- 
superagent" , who knows everything that any of the agents in A knows, can 
obtain ip as a logical consequence of their knowledge. For example, if agent a 
knows that ip and agent b knows that ip — ► \i then D{ a b y\ is true even though 
neither a nor b knows \- The operators of individual knowledge K a (^ ("the agent 
a knows that ip v ), for a € S, can be defined as D{ Q }(/?, henceforth simply written 
& a p. Then, we define K A ip := /\ aeA T> a ip. 

The common knowledge operator C A ip intuitively means that ip is "public 
knowledge" among A, i.e., that every agent in A knows that tp and knows that 
every agent in A knows that ip, etc. Formulae of the form ~^C A ip are referred to 
as (epistemic) eventualities, for the reasons given later on. 

2.2 Coalitional multiagent epistemic models 

Formulae of CMAEL(CD) are interpreted in coalitional multiagent epistemic 
models. In order to define those, we first need to introduce coalitional multiagent 
epistemic structures and frames. 

Definition 1. A coalitional multiagent epistemic structure (CMAES) is a tuple 
© = (£, S,{Tl A } AeV +( S ),{7l A } Ae -p+( S )) 

where 

5 The notion of agent used in the present paper is an abstract one; in the context 
of distributed systems, for example, agents can be thought of as processes making 
up the system; in the context of multiagent systems, they can be thought of as 
independent software components of the system. 
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1. S is a finite, non-empty set of agent^J - 

2. S 7^ is a set of states; 

3. for every A G V + {£), TZ A is a binary relation on S; 

4- for every A G TZ A is the reflexive, transitive closure of [J bcaTZ-b- 

Definition 2. A coalitional multiagent epistemic frame ( CMAEF) is a CMAES 

3" = S, {K a }a^v+{s)i \!^a\a&v+{s))i 
where each TZ A is an equivalence relation satisfying the following condition: 

(t) K° A = aeAK 

(Here, and further, we write 7Z® instead ofTZP-,, where a G £.) 
If condition (\ ) above is replaced by the following, weaker one: 

(tt) K% £ Kb whenever B C A, 
then $ is a coalitional multiagent epistemic pseudo-frame (pseudo-CMAEF) . 

Note that in every (pseudo-) CMAEF K?C f| aeA K%, and hence (J bcaK 1 ^ = 
|J ag^Kf . Hence, condition 4 of Definition nl in (pseudo-) CMAEFs is equivalent 
to requiring that 7Z A is the transitive closure of (J aeA 7Z^ > ', for every A G V + (S). 
Also, note that each 1Z A in a (pseudo-) CMAEF is an equivalence relation. 

Definition 3. A coalitional multiagent epistemic model (CMAEM) is a tuple 
M. = (J, AP, L), where $ is a CMAEF with a set of states S , AP is a set of atomic 
propositions, and L : S i— > V(AP) is a labeling function, assigning to every state 
s the set L(s) of atomic propositions true at s. 

If $ is a pseudo-CMAEF, then A4 — ($,AP,L) is a multiagent coalitional 
pseudo-model (pseudo-CMAEM). 

The notion of truth, or satisfaction, of a CMAEL(CD)-formula at a state 
of a (pseudo-)CMAEM is defined in the standard Kripke semantics style. In 
particular: 

- M, s lb T> A ip iff (s, t) G K% implies M, t lb tp; 

- M, s lh C A tp iff (s,t) G K G A implies M,t lh tp. 

Definition 4. Given a (pseudo-) CMAEM M, a CMAEL(CD)-formula tp is 
satisfiable in M. if M., s lh tp holds for some s G M; tp is valid in M. if A4, s lh tp 
holds for every s G M. 

A formula tp is satisfiable if it is satisfiable in some CMAEM; it is valid, 
denoted lh tp, if it is valid in every CMAEM. 

6 Notice that we use the same symbol, "X"' , both for the set of names of agents in 
the language and for the set of agents in CMAES's. It will always be clear from the 
context which set we refer to. 
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The satisfaction condition for the operator Ca can be re-stated in terms of 
reachability. Let M. be a (pseudo-)CMAEM with state space S and let s,t € S. 
We say that t is A-reachable from s if either s = t or, for some n > 1, there 
exists a sequence s = Sq, s±, . . . , s„_i, Sn = i of elements of S 1 such that, for every 
< i < n, there exists a% <E A such that (s,, Sj+i) 6 7?.f . It is then easy to see 
that the satisfaction condition for is equivalent to the following one: 

— A4, s lh Ca<P iff M,t lh ^ for every t that is A-reachable from s. 

The following claim be easily verified. 

Proposition 1. lh C A <p (<£ A AaeA DqCa^)- 

Remark If = {a}, then D a y> o C a <^ is valid for all Thus, the single- 
agent case is essentially trivialized and, therefore, we assume throughout the 
remainder of the paper that the set £ of names of agents in the language of 
CMAEL(CD) contains at least 2 agents. 



3 Hintikka structures for CMAEL(CD) 

We are ultimately interested in (constructive) satisfiability of (finite sets of) 
formulae in models. However, the tableau procedure we present in this paper 
checks for the existence of a more general kind of semantic structure for the 
input formula, namely a Hintikka structure. In Section |3.1[ we introduce Hin- 



tikka structures for CMAEL(CD). In Section 3.2 we show that satisfiability in 
Hintikka structures is equivalent to satisfiability in models; consequently, testing 
for satisfiability in a Hintikka structure can replace testing for satisfiability in a 
model. 



3.1 Fully expanded sets and Hintikka structures 

There are two fundamental differences between (pseudo-)models and Hintikka 
structures for CMAEL(CD), which make working with the latter substantially 
easier than working directly with models. First, while models specify the truth 
value of every formula of the language at each state, Hintikka structures only do 
so for the formulae relevant to the evaluation of a fixed formula 9 (or, a finite 
set of formulae 6) at a distinguished state. Second, the relations in (pseudo-) 
models have to satisfy certain conditions (see Definition [2| , while in Hintikka 
structures conditions are only placed on the labels of states. These labeling 
conditions ensure, however, that every Hintikka structure generates, through 



the constructions described in Section 3.2 a pseudo-model so that membership 



of formulae in the labels is compliant with the truth in the resultant pseudo- 
model. We then show how to convert a pseudo-model into a bona fide model in 
a "truth-preserving" way. 

To describe Hintikka structures, we need the concept of fully expanded set. 
Such sets contain all the formulae that have to be satisfied locally at the state un- 
der consideration. We divide all the formulae that are not elementary in the sense 
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that their satisfaction at the state does not imply satisfaction of any other formu- 
lae at the same state (such as p € AP or ^D^yi) into a-formulas and /3-formulas. 
The former are formulae of a conjunctive type, i.e. their truth implies the truth 
of all their a-components at the same state, while the latter are of a disjunctive 
type: their truth implies the truth of at least one of their /3-components at the 



same state. Table 3.1 shows the a- and /3-formulas of CMAEL(CD) together 



with their a- and /3-components. The following claims are straightforward, the 
cases of common knowledge using Proposition [T] 



a-formula 


a-components 


,5-formula 


/3-components 




M 


->(tpAip) 


{-><p,->V} 


ip A ip 






{-.¥?} U {^T> a C A >p \ a G A} 


Da<P 








C A <p 


Mu{D a C^ j a€ A} 







Table 1. a- and /3-formulas of CMAEL(CD) with their respective components 



Lemma 1. 1. Every a-formula is equivalent to the conjunction of its a-components. 
2. Every fJ-formula is equivalent to the disjunction of its /3 -components. 

Definition 5. The closure of the formula ip is the smallest set of formulae c\((p) 
such that: 

1. ip e c\{ip); 

2. c\{ip) is closed with respect to a- and /3-components of all a- and f3-formulae, 
respectively; 

3. for any formula ip and coalition A, if-iD^ip S c\(ip) then -tip G c\(ip). 

Definition 6. For any set of formulae A we define c\(A) := [J{c\(ip) \ p € A}. 
A set of formulae A is closed if A = c\(A) . 

Remark 1. Intuitively, the closure of a set of formulae r consists of all formulae 
that may appear in the tableau whose input is the set of formulae r. 

Definition 7. A set of formulae is patently inconsistent if it contains a con- 
tradictory pair of formulae ip and ->ip. 

Definition 8. A set A of CMAEL(CD)-formulae is fully expanded if it sat- 
isfies the following conditions: 

— A is not patently inconsistent; 

— if ip is an a-formula and p G A, then all a-components of ip are in A. 

— if ip is a ti-formula and ip € A, then at least one j3-component of tp is in A. 
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Intuitively, a non-patently inconsistent set is fully expanded if it is closed un- 
der applications of all local (pertaining to the same state of a structure) formula 
decomposition rules. 

Definition 9. The procedure FullExpansion applies to a set of formulae T 
and produces a (possibly empty) family of sets F£(r), called the family of full 
expansions of F, obtained as follows: start with the singleton family {T}; if T 
is patently inconsistent, halt and return J r £(_T) = 0; otherwise repeatedly apply, 
until saturation, the following set replacement operations, each time to a non- 
deterministically chosen set <S> from the current family of sets J- and a formula 
tp G though, we prioritize the eventualities in T so that these formulae are 
processed first: 

1. If (p is an a-formula with a-components tpi and tp 2 , then replace <P by <S> U 

{<P1,<P2}- 

2. If ip is a pi-formula such that none of its pi-components is in <P, then replace 
<P with the family of extensions 

U {ip} \ is a pi-component of tp} 

3. If tp = -^Ca^P an d "'ip ^ @) but some of the other pi-components of tp is in 

then add to T the set $ U {~<ip} 

The following proviso applies to the procedure above: if a patently inconsistent 
set is added to J 7 as a result of such application, it is removed immediately 
thereafter. 

Saturation occurs when no application of a set replacement operation can 
change the current family T . At that stage, the family TE(T) of sets of formulae 
is produced and returned. Reaching a stage of saturation is guaranteed to occur 
because all sets of formulae produced during the procedure FullExpansion are 
subsets of the finite set c\(T). 

Notice that the procedure FullExpansion allows adding not more than one 
/3-component of a formula tp = ^CaV 7 to the initial set, besides ^ip. 
In what follows, we will need the following proposition. 

Proposition 2. For any finite set of formulae _T: 

ih A r ^y{A A \ Ae:F£ ^}- 

Proof. By Lemma [T] every set replacement operation applied to a family T 
preserves the formula \J{j\A \ A £ T£{r)} up to logical equivalence. At the 
beginning, that formula is /\ T, hence the claim follows. 

We now define Hintikka structures for CMAEL(CD): 

Definition 10. A coalitional multiagent epistemic Hintikka structure ( CMAEHS) 
is a tuple 

(S, S, {'R-a}aeV+{£),{'R'a}a£V+(e),- a P,H) 

such that: 
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— (£, S, {T^a}abV+{S)^ {T^L} Aev+ {£)) * s a CMAES (recall Definition^; 

— AP is a set of atomic propositions; 

— H is a labeling of the elements of S with sets of CMAEL(CD)-formulae 
that satisfy the following constraints, for every s,s' € S.- 
CHI H(s) is fully expanded; 

CH2 If-D A Lp G H(s), then (s,t) € TZ% and -«p G H(t), for some t G S; 
CHS If(s,s') G K%, then T> B tp G H(s) iffD B <p G H(/), for every B C A; 
CH4 If^C A ip G H(s), then (s,t) G H° A and -xp G H(t), for some t G S. 

Definition 11. Let U be a CMAEHS with state space S. A CMAEL ( CD )- 

formula 9 is satisfiable in H if 6 £ H(s), for some s G S. Likewise, a set of 
CMAEL (CD)-formulae O is satisfiable inH if O C H(s), for some s G S. 

3.2 Equivalence of Hintikka structures and models for CMAEL(CD) 

Here we show that satisfiability in Hintikka structures is equivalent to satisfia- 
bility in models. For brevity, we only deal with single formulae; the extension to 
finite sets of formulae is straightforward. The main complications in the proofs 
below arise due to the presence of distributed knowledge operators in the lan- 
guage of a logic. 

Here we will prove that a CMAEL (CD)-formula 9 is satisfiable in a CMAEM 
iff it is satisfiable in a CMAEHS. First, we show that satisfiability in a CMAEM 
implies satisfiability in a CMAEHS. Then, we show that satisfiability in a CMAEHS 
implies satisfiability in a pseudo-CMAEM, which in turn implies satisfiability in 
a CMAEM. 

That satisfiability in a CMAEM implies satisfiability in a CMAEHS is almost 
immediate. Given a CMAEM A4 with a set of states S, define the extended 
labeling function from S to the power-set of CMAEL(CD)-formulae as 
follows: Lt i (s) — { ip | M, s lh ip }. It is then routine to check the following. 

Lemma 2. Let M = (S, S, {TZ^} AeV+(E) , {n^} AeV+iE) , AP, L) be a CMAEM 
satisfying 9 and let Lj^ be the extended labeling on M . Then, (U, S, {TZ A } A£ -p+^) > 
{Ti A } A ev+(s)i AP, Lj^) is a CMAEHS satisfying 9. Therefore, satisfiability in a 
CMAEM implies satisfiability in a CMAEHS. 

For the converse direction we need two steps, done in Lemma[3]and Lemma[4j 

Lemma 3. Let 9 be a CMAEL (CD)- formula satisfiable in a CMAEHS. Then, 
9 is satisfiable in a pseudo-CMAEM. 

Proof. Let H = (S, S, {TZ^} AeV+{s) , {TZ^} AeV+{s) , kP, H) be an CMAEHS for 
9. We construct a pseudo-CMAEM M 1 satisfying 9 out of H as follows. 

First, for every A G T J+ (S), let TZ'JC be the reflexive, symmetric, and tran- 
sitive closure of 1J A cbT^-b ana - let T^ A De the transitive closure of 1J a eA^'a ' ■ 
Thus, both 1Z' A and 1Z' A are equivalence relations and 1Z A C TZ' A and 1Z A C 
ll'fi, for every A G V + (S). Second, let L(s) = H(s) n AP, for every s G S. 
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It is then immediate to check that B C A implies IZ'J^ C TZ'g , and hence, 
M' = (S,S,{nf} A&rns) ,{n^} A&v+{s) ,L) is a pseudo-CMAEM. 

Basically this construction relabels the edges of a Hintikka structure such 
that if a directed edge is labelled with a coalition A, it is made bidirectional and 
is further labelled with all coalitions that are subsets of A. Hereafter the relation 
is then made transitive and reflexive. The labels of the states are reduced to only 
containing (positive) atoms. Figure [I] illustrates the process of transforming the 
Hintikka structure on the left into the pseudo-model on the right. 



{a, b} 

{-.D a -.p, Di,g, q} >■ {D b q, q, -^C {atb} r, ^r} 

u 

{a,b} 



{a},{b} 



{^p,p,U b q,q} 



{a,b} 



{a}, {6} 




{p-q} 

u 

{a,b},{a},{6} 



Fig. 1. Example on transforming a Hintikka structure to a pseudo-model using the 
construction from the proof of Lemma [3] 



To complete the proof of the lemma, we show, by induction on the structure 
of the formulae in c\(6) that, for every s € S and every formula x, the following 
hold: 

(i) x G H (s) implies M! ,s lh x; 

(ii) ^x G -ff( s ) implies Al', s II — 'X- 

The statement of the lemma then follows. 

Let x be some p e AP. Then, p 6 -ff (s) implies p e L(s) and, thus, A4', s lh p; 
if, on the other hand, ~^p € H(s), then due to (CHI) p £ H(s) and thus p £ L(s); 
hence, At', s II — <p. 

Assume that the claim holds for all subformulae of x; then, we have to prove 
that it holds for x, as well. 

Suppose that x is ^9?- If £ H(s), then the inductive hypothesis immedi- 
ately gives us Af',s II >ip; if, on the other hand, ^^ip € H(s), then by virtue 



of (CHI) ip g H(s) and hence, by inductive hypothesis, M! , s lh 93 and thus 
Af , s lh "-up. 



The case of x — <P A "0 is straightforward, using (CHI) 



Suppose that x is ^Af- Assume, first, that D^</? e -ff(s). In view of the 
inductive hypothesis, it suffices to show that (s, t) £ IZ'J^ implies tp £ H(t). So, 
assume that (s,t) € TV®- There are two cases to consider. If s = t, then the 
conclusion immediately follows from (CHI) If, on the other hand, s 7^ t, then 



there exists an undirected path between s and t along the relations of the form 
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Tig, where each B is a superset of A. Then, in view of (CH3) T>a<P G H(t); 



hence, by (CHI) tp G H(t), as desired. 
Assume, next, that —Ga^P G H(s). 



In view of the inductive hypothesis, it 



suffices to show that there exists ieS such that (s, t) G and -><p G By 



-V G #(*). As ft 



15 C ft' D 



(CH2)| there exists t G 5 such that (s, t) G 71® and 
the desired conclusion follows. 

Suppose now that \ is Ca</?- Assume that CaV G H(s). In view of the 
inductive hypothesis, it suffices to show that if t is yl-reachable from s in M! , 
then <p G -ff(i). So, assume that either s — t or, for some n > 1, there exists a 
sequence of states s = Sq, si, . . . , s„_i, s n = t such that, for every < z < n, 
there exists a,i £ A such that (si,Si + i) G ft^ 13 . In the former case, the desired 
conclusion follows from|(CHl) In the latter, we can show by induction on i, for 



and (CH1)| that D 0j C^ip G H(si). Then, in particular, 



< i < n, using |(CH3) 

'D an _ 1 CA(p G H(s n -i), and again, by (CH3) D an _ 1 CA l fi G H(t) and thus by 
(CH1)| C A y? G H(t) and y? £ g(f). 

Assume, on the o ther hand, that ^Ca<P 4- H( s )- Then, the desired conclusion 
follows from (CH4) the inclusion TZ^ Q TZ'a > an d the inductive hypothesis. 



We now prove that satisfiability in a pseudo-CMAEM implies satisfiability 
in a CMAEM. To that end, we use a modification of the construction from [TOl 
Appendix Al] to show that if 9 is satisfiable in a pseudo-CMAEM, then it is 
satisfiable in a "tree-like" pseudo-CMAEM that actually turns out to be a bona 
fide CMAEM. To present the proof, we need some preliminary definitions. 



Definition 12. Let M = (S,S,{TZ^}Aev+{E),{T^A}Aev+(E), AP ,L) be a (-pseudo-) 
CMAEM and let s,t G S. A maximal path from s to t in Ai is a sequence 
So, Ao, Si, A%, . . . , s n _i, An-i, s n where s = sq and t = s n , such that n = and 
s = t or, for every < i < n, (sj,Sj-|_i) G TZa > ^ (sjjSi+l) G VJ^ does not 
hold for any B with Ai C B C S . A segment p' of a maximal path p starting 
and ending with a state is a sub-path of p. 



Notice that, in general, there might be several maximal paths between a pair 
of states. 

For a path r = so, Aq, s±, . . . , s„_i,i n _i, s n , we denote by tu the sub-path 
of r starting in sq and ending in s,, i.e. ru = s , A , Si, . . . , Ai_i, Sj and by |r| 
the length of r, i.e. n. We denote the last element of a path t, which is a state, 
by 1(t) and the second last element of r, which is a coalition, by sI(t). 

Lemma 4. Lei 6 be a CM AEL (CD) -formula satisfiable in a pseudo-CMAEM; 
then, 6 is satisfiable in a CMAEM. 

Proof. Suppose that 9 is satisfied in a pseudo-CMAEM M. at state s. Let 
M s = (S,S,{TZ^} A ev+(E)A'^-A}Aev+(s),^'P,L) be the submodel of M gener- 
ated by s. Then, A4 S , s lh 9 since A4 S and are locally bisimilar at s. Next, we 
unravel M s into a model M* = {S , S* , {U* ^} Aev+ (e)A'^* ( a\ Aev+ (E), ^ , L*), 
as follows. 
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First, call a maximal path p in M s an s-max-path if the first component of 
p is s, and let S* be the set of all s-max-paths in Ai s . Notice that s by itself is 
an s-max-path with i(s) = s. 

For every A G V + {S), let 

K'J? ={(p,r)\ P ,teS*, t, | T |_j = p and sl(r) Di}, 

i.e. (p, r) G 72. if r extends p with one step labelled by a coalition containing 
A Next, let be a reflexive, symmetric, and transitive closure of ■ Notice 
that (p, t) G 72.*^ holds for two distinct paths p and r iff there exists a sequence 
Po, ■ ■ • , p n € S 1 * with p = po and r = p„ such that for all i < n, either (p^ p,:+i) G 
72.^ or (pi + i,pi) G TZ'a ■ It then follows that the following downward closure 
condition holds: 



(DC) If (p,r) G 7e*^ and BU, then (p,r) G 7e*£. 

The relations 1Z* ^ are defined as in any CMAEF. To complete the definition 
of M*, we put L*(p) = L(l(p)), for every p G S* . Notice that M* is tree-like in 
the sense that the structure (S* , {H'®} Aev+ (e)) is a tree- 
By this construction we basically remove all 'non-maximal' edges between 
two vertices from the part of the given pseudomodel that can be reached by 
the given state s. Then we build paths by starting in s and then traversing the 
resulting graph via the edges. E.g., if we consider the pseudo-model A4 in Figure 
[TJ and we let the top-left-most state be s, then Ai, s II — <T) a ^pA T)\,q. S* will in 
this case be all paths starting in s and following the links in the graph. 



^-A {a, 6} 
{a, b} s -i >■ r 

V -" A 

{a},{b} 




{a,b} 



{a.b} 

I.e. p — (s, {a, &}, s, {a}, t) and r = (s, {a, &}, r, {6}, t) are in S*, while p' = 
(s,{a},s,{b},t)^S*. 

We have (p,r) £ 7£*f , (p,r) £ 7£*f and (p,r) ^ 7e*f fc . On the other hand, 
(r, {s,{a,b},r,{a,b},s)) EK*°. 

In this example, L*(p) — L*(t) d =' = {p, q}. 

It is clear from the construction, namely from (DC), that Ai* is a pseudo- 
CMAEM, and in the following, we will show that condition (f ) of Definition [2] 
also holds, so that M* is a CMAEM. 

First, we notice that, since Ai* is tree-like, we have (p, r) G 72.*^ iff there 
exists k > 0, with /c < |p| and fc < |r|, such that 



and 



for all k < i < |r| and k < j < \p\,A C s^r^) and A C sl{p\j). 



(1) 
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2 A D A 




Fig. 2. The situation from ([T]) drawn in M, i.e. the dots/circles belongs to S, and the 
links are links in 1Z 



(The situation is depicted in Figure [2]) As stated, we have to prove that 
K*A = fl aeA^*a for ever y A € The left-to-right inclusion immediately 

follows from (DC). For the converse, assume that (p, r) G 72.*^ holds for every 
a G A. Then, for every a € A, according to ([I]), there exists k a > such that 
P\k a = T\ ka and {a} C sZ(t|j), si(P|j) for ever y l T l > * > fc a and every \p\ > j > k a . 
Now, let k be the largest k a satisfying this condition (such a k exists since M* 
is tree-like). Then, p\ k — T| fc , and for every a E A, the inclusions {a} C sZ(ru) 
and {a} C sl(py) hold for every |t| > i > k and every \p\ > j > k. Therefore, 
condition ([lj is fulfilled for A and k, and hence (p, r) G 7?.*^, as desired. 

Finally, it remains to prove that M.* satisfies 9. From we see, that if 
(p, t) e 7^*2, then (l(p),l(r)) € 72.^, since every is an equivalence relation. 
It is now easy to check that the relation Z = { (p, i(p)) | p G S 1 * } is a bisimulation 
between At* and .M s . Since (s, i(s)) € Z, it follows that s lh 0, and we are 
done. 

Theorem 1. Let 9 be a CMAEL(CD)-formula. Then, 9 is satisfiable in a 
CMAEHS iff it is satisfiable in a CMAEM. 

Proof. Immediate from Lemmas [2j [3j and [4] 

4 Tableau procedure for testing satisfiability in 
CMAEL(CD) 

In this section, we present our tableau algorithm for checking (constructive) sat- 
isfiability of formulae of CMAEL(CD). We start off by explaining the general 
philosophy underlying our tableau procedure and then present it in detail. 



4.1 Basic ideas and overview of the tableau procedure 

Traditionally, the propositional tableau method works by decomposing the for- 
mula whose satisfiability is being tested into its a-, resp. (3- components - re- 
peatedly, until producing all full expansions of that formula. All these compo- 
nents belong to the closure of the input formula. When the closure is finite (as 
it is usually the case with modal and temporal logics) the termination of the 
tableau-building procedure is guaranteed because there are only finitely many 
full expansions. 



14 



Furthermore, in the tableau method for the classical propositional logic that 
decomposition into components produces a tree representing an exhaustive search 
for a Hintikka set, the propositional analogue of Hintikka structures, for the in- 
put formula. If at least one branch of the tree remains open, it produces a full 
expansion of the input formula, which is a Hintikka set for this formula. In this 
case, the formula is pronounced satisfiable; otherwise, it is declared unsatisfiable. 
In the case of modal and temporal logics, local decomposition steps, producing 
full expansions, are interleaved with steps along the accessibility/transition re- 
lations, producing sets of formulae that are supposed to be true at successors of 
the current state. These sets are subjected, again, to local decomposition into 
components, eventually producing their full expansions, etc. In order to distin- 
guish fully expanded sets from those produced after transition to successors, we 
will deal with two types of nodes of the tableau, respectively called 'states' and 
'prestates'. In order to ensure termination of the construction process, we will 
systematically reuse states and prestates labelled with the same sets of formulae. 

The tableau procedure for testing a formula 9 for satisfiability attempts to 
construct a non-empty graph T (called itself a tableau) representing "sufficiently 
many" CMAEHSs for 9 in the sense that if 9 is satisfiable in any CMAEHS, then 
it is satisfiable in a CMAEHS represented by the tableau. The procedure consists 
of three major sub-procedures, or phases: construction, prestate elimination, and 
state elimination. During the construction phase, we build the pretableau V e — 
a directed graph whose nodes are sets of formulae of two types: siate^] and 
prestates, as explained above. States represent (labels of) states of the CMAEHSs 
that the tableau attempts to construct, while prestates are only used temporarily, 
during the construction phase. 

During the prestate elimination phase, we create a smaller graph 7q out of 
V® , called the initial tableau for 9, by eliminating all the prestates of V and 
adjusting its edges, as prestates have already fulfilled their role of keeping the 
graph finite and can, therefore, be discharged. 

In the case of classical propositional logic, the only reason why it may turn 
out to be impossible to produce a Hintikka set for the input formula is that 
every attempt to build such a set results in a collection of formulae containing a 
patent inconsistency. In the case of logics with fixpoint-dcfinable operators, such 
as CMAEL(CD), there are two other reasons for a tableau not to correspond 
to any Hintikka structure for the input formula. The first one has to do with 
realization of eventualities — formulas of the form ^C^tp, whose truth condition 
requires that —tip "eventually" becomes true — in the tableau graph. Apply- 
ing decomposition rules to eventualities in the construction of the tableau can 
postpone indefinitely the realization by keeping "promising" that the realization 
will happen further down the line, while that "promise" never becomes fulfilled. 
Therefore, a "good" tableau should not contain states with unrealized eventu- 

7 From now on we will use the term "state" in two related but distinct senses: as a 
state of a tableau and as a state of a semantic structure (frame, model, Hintikka 
structure). The use of term "state" will usually be clear from the context or explicitly 
specified. 
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alities. The other additional reason for the resultant tableau not to represent a 
Hintikka structure is that some states do not have all the successors they would 
be required to have in a corresponding Hintikka structure (for example, because 
those successors have been removed for not realizing eventualities). 

During the state elimination phase, we remove from 7q all states, if any, that 
cannot be satisfied in any CMAEHS for any of the reasons suggested above and 
discussed in more detail further (excluding patently inconsistent sets, which are 
removed "on the fly" during the construction phase) . The elimination procedure 
results in a (possibly empty) subgraph T of 7q , called the final tableau for 8. If 
some state A of T 9 contains 0, it is declared satisfiable; otherwise, 9 is declared 
unsatisfiable. 

The logic CMAEL(CD) involves modal operators over equivalence rela- 
tions, and thus invokes some typical complications in the tableau-building pro- 
cedures associated with inverse- looking modalities, see e.g. |19j : every box occur- 
ring in the label of a descendant state has a backwards effect on all predecessor 
states, inch the current state. In order to deal with these complications we must 
cither organize a mechanism for backtracking and backwards propagation of box- 
formulae, or a mechanism for anticipation of the occurrence of such boxes in 
the future, coming from subformulae of formulae in the label of the current 
state, based on analytic cut rules. We will adopt here the latter approach, which 
is easier to describe and implement into what we call a diamond-propagating 
procedure, by employing suitably restricted analytic cut rules to maintain the 
efficiency of the procedure, but later we will briefly discuss the former alterna- 
tive, too. The two procedures only differ in the construction phase; the prestate 
and state elimination phases are common to both. The need and use of analytic 
cut rules is illustrated later in Example [4] 

4.2 Cut-saturated sets and expansions 

The application of the analytic cut, mentioned above, is implemented by impos- 
ing an additional cut-saturating rule on the construction of the full expansions of 
a given set of formulae. In order to prevent the unnecessary swelling and prolif- 
eration of states, we will restrict the application of that rule by imposing generic 
restrictions which, on the other hand, should be sufficiently relaxed to guarantee 
the completeness of the tableau procedure. These generic conditions, which will 
be specified later, will be imposed separately on the two types of box-formulae 
in CMAEL(CD), viz. D^-formulae and on C^-formulae. 

Definition 13. Given restrictive conditions C\ and C2, a set A of CMAEL( CD)- 

formulas is (Ci, C2)-cut-saturated if it satisfies the following conditions, where 
Sub(ip) is the set of subformulae of a formula if): 

CSO A is fully expanded (recall Definition^. 

CS1 For any DaP € Sub(^) where if> € A, if condition C\ holds then either 

T>Af € A or ^DaP € A. 
CS2 For any CaP € Sub(-0) where ip € A, if condition C2 holds then either 

Cap £ A or ^C A ip <E A. 
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We note that |CS1| and |CS2| are semantically sound rules, no matter what 
C\ and C'2 are, as they cannot make a tableau closed if the input formula is 
satisfiable. On the other hand, if C\ and Ci are too strong, that may prevent 
the tableau from closing and thus yield an incomplete tableau procedure, as will 
become apparent later. Again, the reason we would want to make C% and C2 as 
strong as possible is to avoid branching on too many formulae, causing an un- 
necessary large state space and resulting in a practically less efficient procedure. 

Hereafter, we will omit the explicit mention of the conditions C\ and C2, 
unless necessary. In fact, for now we can assume both C\ and C2 to be True, but 
later we will introduce non-trivial restrictive conditions. 

Definition 14. The family CS£(r) of cut-saturated expansions (CS-expansions) 
of a set of formulae r is defined by expanding the procedure FullExpansion with 
the following two set-replacement rules, again applied to a non-deterministically 
chosen set <1> from the current family and a formula tp € 

1. For any formula D^<p that is a subformula of ip such that C\ is satisfied, 
replace with the two extensions of<P obtained by adding respectively T)a<P 
and -iD^</j to it. 

2. For any formula Ca<P that is a subformula of ip such that C2 is satisfied, 
replace <P with the two extensions of <P obtained by adding respectively Ca<P 
and ^Ca^P to it. 

It is clear from the definition that all sets in CS£(r) are (Ci,C2)-cut- 
saturated . 

Definition 15. The extended closure of 9, denoted ecl(#) ; is the smallest set 
such that ip, -^ip € ec\(9) for every ip £ c\(9). The extended closure ecl(-T') of a set 
of formulae r is defined likewise. 

The following is immediate from the definitions. 

Lemma 5. Every CS-expansion of a set of formulae r is a subset ofec\(r). 

Lemma 6. For any CMAEL(CD)-formula 9, the size of (i.e., number of for- 
mulae in) the extended closure of 9 is 0(k - \9\), where k is the number of agents 
occurring in 9. 

Proof. Straightforward. 

Construction phase As already mentioned, a tableau algorithm attempts to 
produce a compact representation of "sufficiently many" CMAEHSs for the in- 
put formula; in this attempt, it sets in motion an exhaustive search for such 
CMAEHSs. As a result, the pretableau V 6 built at this phase contains two 
types of edge, as well as two types of node (states and prestates; see above). 

One type of edge, depicted by unmarked, dashed uni-directed arrows — - 
represents the search dimension of the tableaux. The exhaustive search consid- 
ers all possible alternatives arising when prestates are expanded into states by 
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branching in the "disjunctive" cases. Thus, when we draw unmarked arrows from 
a prestate r to each state from a set of states X, this intuitively means that, in 
any CMAEHS, a state satisfying r has to satisfy at least one of the states in X. 

The second type of edge represents transition relations in the CMAEHSs that 
the procedure attempts to build. Accordingly, this type of edges is represented 
by solid, uni-directed arrows, — >, marked with formulae whose presence in one 
of the end nodes requires the presence in the tableau of the other end node, 
reachable by a particular relation. Intuitively, if -^T> A ip G A for some state A, 
then some (state obtained from a) prostate r containing -^ip must be accessible 
from A by relation 1Z A . We mark these arrows with the respective formulae 
-iDa<P in order to keep track of the specific reason for creating that particular 
state. That information will be needed during the elimination phases. 

We now turn to presenting the rules of the "diamond-propagating" construc- 
tion phase, each of which creates a different type of edge, as discussed above. 
The first rule, (SR), prescribes how to create states from prestates, while (DR) 
expands prestates into states. 

Rule (SR) Given a prestate r, such that (SR) has not been applied to it 
before, do the following: 

1. Add to the pretableau all CS-expansions A of -T; declare these to be states; 

2. For each so obtained state A, put r — » A; 

3. If, however, the pretableau already contains a state A' = A, then do not 
create a new state, but put r — ■ > A'. 

We denote by states(-T) the (finite) set { A | r — > A}. 

Rule (DR): Given a state A such that -^T> A ip G A and (DR) has not been 
applied to A with respect to ~^T> A (p before, do the following: 

1. Add to the pretableau the set T = {^} U {T) A >ip G A \ A 1 C A} U 
{ ->T> A 'ip G A | A' C A and -H A iii> ^ ->T> A <P } U { ^C A ^ G A \ A' n A ^ 
} and declare this set to be a prestate. 

2. Put A ^ r. 

3. If, however, the pretableau already contains a prestate i~" = _T, then do not 
create a new prestate, but put A 4 V J". 

When building a tableau for a formula 8, the construction phase begins 
with creating a single prestate {9}. Afterwards, we alternate between (SR) and 
(DR): first, (SR) is applied to the prestates created at the previous stage of the 
construction, then (DR) is applied to the states created at the previous stage. 

The construction phase is completed when every prestate required to be 
added to the pretableau has already been added (as prescribed in item 3 of 
(SR)) and (DR) does not apply to any of the states with respect to any of the 
formulae. 
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Example 1. Let us construct the pretableau for the formula 9 = ^D{ ac }C{ a i &}pA 
Cj a ij j(pA q), assuming that S — {a,b,c}. To save space, we replace 9 by the 
set of its conjuncts = {^D {ac} C {Q j, } p, C {a b} (p A q)}. 

Here and further on in the examples, we let Cap denote the set {Cap, p} U 
U aeA I) a CA<p- Figure [3] shows the pretableau for 0. 




Xa = -D a C {o() jp 
*b = ^ D b C {a,b}P 

r l = i^' D {a,ci C {a,b}f. C {a,b}(P A «)} 

^1 = {^ D {a,c} C {a,b}P> C {a,6}<P A <!), P, 3. C{ aib ).p} 

^2 = <^ D {a,c} C {a,6}P- C {a,b}<P A 9. ^ C { a ,b}P> ^ D " C {a,b} 



J' I 



f^ E> {a,c} C {a,6}P' C {a,6}(P A 9).P.9-^ C {a,6}P> ^b C { a , b } P > 



r 2 = {^C 
r 3 = {^C 



{a,6}P 
{a, 6} 



P. D fl C 



-{a,b} 
{a,b} 



(p A q),U a C 



{a, 6} 



P} 



(p A g), ^D a C 



{a,b} 



P) 



As = 



^ C {a,()}P' C {a 1 6}*P A nD Q C {(i,&}P} 
l nC («i)P' C {a,l}(P A - nD i C {a,l}P) 

<^ C {a,b}P' D £i C {a,b}(P A «)) 
{^ C {a,b}P- D b C {a,b}(P A ?)} 



Fig. 3. The pretableau for {^D{ aiC }C{ aji) }p, C{ a ,(,}(p A g)} 



Prestate elimination phase At this phase, we remove from pretableau V all 
the prestates and unmarked arrows, by applying the following rule (the resultant 
graph is denoted 7q and is called the initial tableau): 

(PR) For every prestate T in V e , do the following: 

1. Remove T from V B \ 

2. If there is a state A in V 9 with A -^-» T, then for every state A' € states(T), 
put A A'; 

Example 2. We continue Example [T] by creating the initial tableau for — 
{^D{ a jC }C{ a b }p, C{ a j,}(pA q)} out of the pretableau in Figure p| Again we let 
Cap denote the set consisting of Cap and its a-components. Figure |4] shows 
the resulting initial tableau. 

State elimination phase During this phase, we remove from Tq states that 
are not satisfiable in any CMAEHS. Of course, when a state is removed, so are 
all of its incoming and outgoing arrows. 
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X 



{a,a} C {a,b} P 





{^ D {a,c} C {a,b}P- C {a,b}(P A «). P. «• C {a,b}P> 

<^ D {a,c} C {a,t.}P- C {a,ti}(P A 'i) - P'«'^ C {o,!,}P' ^ D " C {a,b}P> 



{^ C {a,6}P. C {a,b}(P A< !),P,<!, ^ D aC {a (,jp} 
< ^ C {a,6}P. C {a,b}<P A «)■»• ^ D b C {o,b}P> 



{^ D {a,c} C {a,6}P' C {a,b}<P A< j).P.9.^ C {o,b}P> ^ D 6 C {o,b}P> 



Fig. 4. The initial tableau for {^D {ajC} C {£lif)} p, C {ajf)} (p A g)} 

There are two reasons why a state A of 7^ might turn out to be unsatisfiable: 
cither because A needs, in order to satisfy some diamond-formula, a successor 
state that has been eliminated, or because A contains an eventuality that is not 
realized in the tableau. Accordingly, we have two elimination rules (El) and 



Formally, the state elimination phase is divided into stages; we start at stage 
with T®] at stage n+1, we remove from the tableau 7% obtained at the previous 
stage exactly one state, by applying one of the elimination rules, thus obtaining 
the tableau 7^f +1 . We state the rules below, where denotes the set of states 



(El) If A e S„ contains a formula \ — -, Da¥> such that there is no A A', 
where A' € S„, then obtain 7^f +1 by eliminating A from 7%. 

For the other elimination rule, wc need the concept of eventuality realization. 

Definition 16. The eventuality £ = ^CaV is realized at A in T„ if either 
-up G A or there exists in T® a finite number of states Aq, A\, . . . , A m such 
that A = A: -«f e A m ; and, for every < i < m, £ € Ai and there exists 
Xi — ->T>aiipi such that ai e A and Ai A i+ i. 

We can now state the rule. 

(E2) If A € contains an eventuality -iCa<P that is not realized at A in 
7^f , then obtain 7^f +1 by removing A from 7^f . 

We check for realization of ^C^iyS by running the following, global procedure 
that marks all states of T® realizing ^C^f in T® ■ Initially, we mark all A £ S„ 
such that e A. Then, we repeatedly do the following: if A £ S„ contains 

->Ca<P and is unmarked yet, but there exists at least one A' such that A A', 
for some formula ip and a e A and A' is marked, we mark A. The procedure 
is over when no more states get marked. Note that marking is carried out with 
respect to a fixed eventuality £ and is, therefore, repeated each time we want to 
check realization of an eventuality (see reasons further) . 



(E2). 



oil*. 
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We have so far described elimination rules; to describe the state elimination 
phase as a whole, we need to specify the order of their application. We have to be 
careful since, having applied (E2), we could have removed all the states accessi- 
ble from some A along the arrows marked with some formula \\ hence, we need 
to reapply (El) to the resultant tableau to remove such Zi's. Conversely, after 
having applied (El), we could have thrown away some states that were needed 
for realizing certain eventualities; hence, we need to reapply (E2). Moreover, 
we cannot terminate the procedure unless we have checked that all eventualities 
are realized. Therefore, we apply (El) and (E2) in a dovetailed sequence that 
cycles through all the eventualities. More precisely, we arrange all eventualities 
occurring in the states of T® in a list £1, ...,£ m . Then, we proceed in cycles. 
Each cycle consists of alternatingly applying (E2) to the pending eventuality 
(starting with £1), and then applying (El) to the resulting tableau, until all the 
eventualities have been dealt with. These cycles are repeated until no state is 
removed throughout a whole cycle. When that happens, the state elimination 
phase is over. 

The graph produced at the end of the state elimination phase is called the 
final tableau for 9, denoted by T e , and its set of states is denoted by S . 

Definition 17. The final tableau T e is open if 9 e A for some A 6 S e ; other- 
wise, T is closed. 

The tableau procedure returns "no" (not satisfiable) if the final tableau is 
closed; otherwise, it returns "yes" (satisfiable) and, moreover, provides suffi- 
cient information for producing a finite model satisfying 9; that construction is 
sketched in Section PT2l 

Example 3. We will continue to make the final tableau for the formulae con- 
sidered in Example [T] and Example [2j The state elimination procedure starts 
with the initial tableau given in Figure [4] During the state-elimination phase, 
state A\ gets removed due to (El), since it does not have any successor states 
along an arrow labelled with x> while states A2, A$, A4 and A$ are eliminated 
due to (E2), as all of them contain the unrealized eventuality ^C{ a .b}P- Thus, 
the final tableau for (9 is an empty graph; therefore, & is unsatisfiable. 

5 Soundness and completeness of the tableau 
5.1 Soundness 

Technically, soundness of a tableau procedure amounts to claiming that if the 
input formula 9 is satisfiable, then the final tableau T e is open. 

Before going into the technical details, we give an informal outline of the 
proof. The tableau procedure for the input formula 9 starts off with creating 
a single prestate {9}. Then, we expand {9} into states, each of which contains 
9. To establish soundness, it suffices to show that at least one of these states 
survives to the end of the procedure and is, thus, part of the final tableau. 
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We start out by showing (Lemma [7| that if a prestate T is satisfiable, then 
at least one state created from T using (SR) is also satisfiable. In particular, 
this ensures that if 9 is satisfiable, then so is at least one state obtained by (SR) 
from {9}. To ensure soundness, it suffices to prove that this state never gets 
eliminated from the tableau. 

To that end, we first show (Lemma|8]) that, given a satisfiable state A, all the 
prestates created from A in accordance with (DR) — each prestate being associ- 
ated with a formula of the form ^D^</? — are satisfiable; according to Lemma [7j 
each of these prestates will give rise to at least one satisfiable state. It follows 
that, if a tableau state A is satisfiable, then every successor of A in the ini- 
tial tableau will have at least one satisfiable successor reachable by an arrow 
associated with each formula of the form -^Da 1 P belonging to A. Hence, if A is 
satisfiable, it will not be eliminated on account of (El). 

Second, we show that no satisfiable states contain unrealized eventualities 
(in the sense of Definition [l6| ) , and thus cannot be removed from the tableau 
on account of (E2). Thus, we show that a satisfiable state of the pretableau 
(equivalently, initial tableau) cannot be removed on account of any of the state 
elimination rules and, therefore, survives to the end of the procedure. In partic- 
ular, this means that at least one state obtained from the initial prestate 9, and 
thus containing 9, survives to the end of the procedure. Hence, the final tableau 
for 9 is open, as desired. 

We emphasize again that the claims mentioned above, and their proofs, do 



not depend on the application (or not) of the cut rules CS1 and CS2 because 
they are sound, since 7 V ^7 is valid for any formula 7. Therefore, these results 
are unaffected by the restrictive conditions C± and C2 for their application. 
We now proceed with the technical details. 

Lemma 7. Let F be a prestate of V e such that M,s lh T for some CMAEM 
M and s 6 M. Then: 

1. Ai, s lh A holds for at least one A £ states(F). 

2. Moreover, if -^Ca^P £ T and A4,s lh -itp, then A can be chosen so that 

-up e A. 

3. If-iCA<f £ r while none of —iGa<p's ^-components are in T, then for every 
a £ A, if A4, s II — iD a CA^ then A can be chosen so that either ^DaC^i/? £ 
A or ^ip £ A. 

Proof. Straightforward from the definition of CS£(r) and using Proposition [2j 

Lemma 8. Let A £ S® be such that M,s lh A for some CMAEM M and 
s £ M., and let £ A. Then, there exists t £ A4 such that (s,t) £ TZ^ 

and A4,t\\~ T, for a set T defined according to the rule (DR) applied to A and 
->Da<P : 

r = {^ip} U { T> A 'ip G 2\ I A' C A} U { ->T>A>ip G A I A' £ A and ->T) A '^ + 

nD iV } u {^c A >i>eA\ A'nA^®} 

Proof. Easily follows from the semantics of the epistemic operators and the 
definition of CMAEM. 
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Lemma 9. Let A € S®, let^CAP, ^DqCaV 5 G arl <^ ^ furthermore, A Ti j^S^ v 
F for some prestate r £ V e . Assume that M, s Ih A and (s, s') S 7^.^, /or some 
model M. and a pair of states s, s' € VW; i/ien At, s' Ih J 1 . 

Proo/. Recall from the rule (DR) that T = {^Ca<^} U {D a 7 | D a 7 G Z\} U 
{ -D a7 | -D a7 e A -D a7 ^ -D a C A(/3 } U { -C a7 I -C a7 £ A}. The claim 

follows easily, because is an equivalence relation. Indeed, M,s' II >Ca<P 

because every yl-reachable state from s is A-reachable from s' , too. Moreover, 
(s',s") e H° iff (s,s") e for all s". Therefore, M,s' Ih X for all x € 

Lemma 10. Lei A £ S% be such that M,s Ih A for some CMAEM M and 
s £ M, and let ->Ca<P G A. Then there is a finite path in S® of satisfiable states 
that realizes ^CaP at A. 

Proof. We start by proving the following: 

Let ^CaP € A for some prestate Ji £ "P e such that I\ does not con- 
tain any of the /3-components of -^CaP- Suppose that M.,s\ Ih fi, 
and let S! — i> s 2 • ■ • s n be a shortest path in .M that sat- 
isfies ^Ca<£>, i.e., Ai,s n Ih and for all i < n, the following hold: 
Ai,Si Ih {^CaV, (p}, and (si,Si+i) £ for some a* £ A Then there 
exists a path 

Zli S- Zi 2 > ... >• Zi n ', 

of satisfiable states in <Sq, where n' < n, A\ £ states(ii) and -199 e Zi„/. 
We prove the above claim by induction on n. 

If n = 1, then A4,Si II up. Since e J 1 ! and M.,s\ Ih Z\, Lemma [7] 

implies that there is a A\ £ states(Ti) such that .M,si Ih Z\i and ->(/3 g A\. 
Thus Z\i is the needed path in S® that satisfies the claim above. 

Assume now the claim holds for all m < n. Let ^CaP G ii, let M., Si Ih J\, 
and assume that none of ^CaV?' s /3-components are in r\. Let the path in M. 
satisfying the eventuality -<CaP be si s 2 — ^ ■ ■ • — — > s„, where n > 1. 

Since .M, si Ih {^D ai CA</?, ^Ca</?}, Lemma [7] implies the existence of A\ € 
states(Ti) in <5>q with A4, si Ih Z\i, and ^D Ql CA<y9 € Z\i or ->ip e At. In the 
latter case, A\ is the needed path. In the former case, due to Lemma |8j there 

exists a prestate r 2 £ T , with A — >• Z2; then, ^CaV 5 € ^2- Note that 
7^2 cannot contain any of ^Ca^'s /3-components, since Ai contains ^D Qi Ca¥>, 
and thus, it can contain at most one other /3-component, namely —up. But in 

that case we would have that M,si II up, which contradicts the assumption. 

Lemma [9] gives us A4, S2 H~ ^2- 

Thus, since s 2 • ■ • s n is a path of length n — 1 that realizes ^Ca^ 
at s 2 , the induction hypothesis claims that there is a path of satisfiable states 



in S», 



Zl 2 5" • • ■ > A r 
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where n' < n — 1, A 2 £ states^), -<<p £ A n >. 

Since J\ — » A 1 — > r 2 — ■ » A2, we obtain a path in S$ of length atmost 
n that satisfies the induction hypothesis. 
That concludes the induction. 

Getting back to the claim of the Lemma, we have that if ^Ca^P £ A, then 
either -^ip £ A or there exists an a' £ A such that ^Da'C^i/' £ A, since A is fully 
expanded. In the former case, ~^Ca<P is realized in A and the claims follows. In 

the latter case, there will be a prestate r in T e , such that A D ^1 C > A¥ ' r. Note 
that in this case r C A. Due to (DR) and the fact that -199 ^ A, T cannot 
contain any of -^Ca<p's ^-components. 

Thus, the statement above gives us that there there is a A — > r — > Ai — > 
. . . — > A n ', i.e. there is a path of satisfiable states in £>q, that realizes ~^Ca<P £ A. 

Theorem 2. If 6 £ C is satisfiable in a CMAEM, then T 6 is open. 

Proof. Using the preceding Lemma [8] and Lemma [10} one can show by induction 
on the number of stages in the state elimination process that no satisfiable state 
can be eliminated due to (E1)-(E2). The claim then follows from Lemma [7] 

5.2 Completeness 

The completeness of a tableau procedure means that if the tableau for a formula 
9 is open, then 9 is satisfiable in a CMAEM. In view of Theorem [lj it suffices 
to show that an open tableau for 9 can be turned into a CMAEHS for 9. In 
order to prove that, we need to specify sufficiently strong restrictive conditions 
\Ci\ and IC2I governing the application of the cut rules |CS1| and |CS2| respectively 
on formulas ~Da<P and Ca'P in the Definition [13] of cut-saturated sets. We now 
specify these conditions as follows. 

C\ Cut on Da<P £ Sub('0) where tp € A, if either of the following holds: 

Cn V = Db<5 or i/j = -^DbS, and there is a -iDge £ A such that A C E 
and B C E. 

C12 ijj — ~^CbS and there exists a -~T)e£ £ A such that A<£ E and BdE ^ 0. 
C2 Cut on Ca<P £ Sub("0) where ip £ A, if either of the following holds: 

C21 ijj — T>b8 or ijj — ^Db<5, and there exists a ^D^e g Zi such that B C E 
and A n £ ^ 0. 

C22 ^ = and there exists a ^D^e £ A such that AO E ^ and 

Bn£^0. 

The intuition: a cut rule only has to be applied to a formula Da<P or Ca<P if: 

(i) that formula can occur in the label of a descendant state and, 

(ii) once it occurs there, it will have an effect spreading back to the current state. 

For the former to happen, that formula must occur in a D^-formula or 
a -iD^-formula or a ^C^-formula. For the latter, the path leading from the 
current state to that descendant must be labelled with relations propagating the 
effect of the respective box. 
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Example 4- This example illustrates the need for applying cut rules and using 
cut-saturated sets instead of simply fully expanded sets. First, recall the re- 
quirement of the relations in a (pseudo-)CMAEL(CD) model to be equivalence 
relations, reflected in (CH3) of Definition 10 for Hintikka structures. Now, con- 
sider the tableau constructed for the formula 9 = —n^ a ^p/\—iTis a ^ c \-iTi a p if we 
would only use fully expanded sets: 



hp} 



{0, ^D {ajfc} p, ^D {QiC} ^D Q p} 

{^D Q p, T>aP,p} 



The corresponding claimed Hintikka structure and (pseudo)-model, that this 
tableau would produce (see the construction in Lemma |l2[ ) would then be, re- 
spectively: 




In the "Hintikka" -structure to the left, we have that T) a p is in the state 
in the bottom right corner, but not in the state in the top, though the edge 
connecting them is labelled with {a, c}. This on the other hand means, that 9 
is not satisfied in the "model" to the right, because T) a p does not hold at any 
state, hence ^D{ Q c j^D a p in not true at any state. In fact, 9 is not satisfiable 
at all. 

If we would indeed apply the cut-rules then the tableau for 9 would close. 
The pretableau for 9 would look as follows. 

{^p, -D a p} > {^p, -D a p} 




Notice that some of the prestates (namely {^p,T> a p} and {^D a p, ^D Q p}) do 
not have any full expansions since these are patently inconsistent. After the 
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initial tableau has been build, this then causes the two states in states(0) to be 
deleted by (El) and the final tableau is 



^D tt p 



which closes. 



The following lemma is needed to ensure that the satisfaction of the condition 



(CH3) from the definition of Hintikka structures for CMAEL(CD) is guaranteed 



in the final tableau. 

Lemma 11. Suppose A — > v A' in the final tableau T e for some input formula 
9 and suppose that DbV S A where B C A. Then D^^i G A. 



Proof. First, note that if the cut rules CS1 and CS2 are applied unrestrictedly 



to every subformula D_a^j or C^V 5 °f a formula in the label of the current state 
A, the proof of the lemma is immediate. We will show that the claim still holds 
if the restrictions C\ and C2, specified above, are imposed. 

For a formula a we let CSi(a) be the set of all formulae that can occur in 
any one-step cut-saturated expansion of a according to the procedure described 



in Definition 14 Similarly CSi(/ n ) = Uaer CSi(a) for a set r of formulae, and 
recursively welet CS„(T) = CSi(CS„_i(T)). As is easy to see, this construction 
converges, and the following is true: 

— For any formula a and any n G N, CS„(a) C eel (a), i.e.: 

CS„(a) C {0, -,0 I g Sub(a) } U { T> e C E s, -D e C B e \ C E e & Sub(a), e e E } 

— For any cut-saturated expansion Q of r there is an n such that fl C CS n (r). 

— If (3 G CS„(r), then there is an a G T, such that (3 G CS„(a). 

Now, let -T be the prestate in the pretableau V 6 that gives rise to the relation 

between A and A', i.e. A r A' in V e . The above gives us that since 

A' is a cut-saturated expansion of T and DbV" G there is an a 6 r such 
that DsV' £ eel (a). That is, either D^?/; € Sub(a), or D_g^> = D^Cd^ for a 
Cp5 G Sub(a) and a d G D. 

Since a G i -1 , due to (DR), either a = T>cl G Z\ or a = ^Dc7 G Z\ for a 
C C A, or a — ~^Ccj G A where C n ^4 7^ 0, or a = We notice that it is 
enough to show that |Ci| is applicable to D^V" a t A since then either Dsip G A 
(which is what we want) or -^Dgijj G A; the latter would, according to (DR), 
imply that -^T)b4 ) G -T C A', which would cause A' to be patently inconsistent, 



which contradicts A' being a cut-saturated set and thus fully expanded (cf. CSO ). 
We split according to cases: 

Case 1: a = D C 7 G A or a = ^D C 7 G A for a C C A: D B V G ecl(D C 7) 
gives that G Sub(Dc7), or = D^C^x? for a Cd<5 G Sub(Dc7), where 

dG.D. 



2G 



In the first case, D^t/i is a subformula of a Dp-formula in A, and since 
C,B C A and —>T)a 1 P G ^, |Ci | is applicable to D^?A at A. 

In the second case, DbiP — D^CdJ for an CpS € Sub(Dc7) with d E D. 
Since i? = {<i} C A, we have d E D D A and hence C2 is applicable to Cd<5 at 
Zi, as we also have CCA and —>T)a 1 P € This means that either Cd<5 € A 
or -nC^ € Z\ ac cording to [CSg} If C D <5 € Z\, then = ^>dC D S E A 

If ^C£)i5 E A, then according to (DR), -^CpS E r since 
However, D_bV — D<jC.d5 € r, and hence C£i<5 g A'. This gives us 



according to CSO 
d E Df)A. 

a contradiction, as A' is fully expanded and, thus, not patently inconsistent. 
The case where a = ->T)c"f is similar. 



Case 2: a = -iip: T>b4' € ecl^^). We have two cases to consider: 

Either D^?/; S Sub(^t^), in which case DbV> <= Sub(<^) C Sub(-iD^) and 
thus Ci is applicable (since B,AC A). 

T>Btj) = T>dCo& for an Cjj6 E Sub(^ip) and d E D gives that CpS £ 
Sub(y) C Sub(^D J 4(p), and thus C2 is applicable to Cd<5 at zi since, again, 
d E DnA and AC A Then, either C D S E A or ~^C D 8 E A. As before, the former 
implies that Tigij) E A, as desired, while the latter leads to a contradiction. 

Case 3: a = ^C C 7, where C n A ^ 0: 

DbV^ € Sub(^Cc7) immediately gives that Ci is applicable to D^t/i at A. 

If DsV = D,jCd(5, where CpS E Sub(^Cc7) and d E D, then Ci is appli- 
cable to CdS at A, as d e D n A and -iD^y) e A Thus, either C.d<5 e Z\ or 
-iCd<5. The former implies that, due to |CSO[ E A, as desired, while the 



other gives a contradiction, due to (DR) and CSO 



Lemma 12. If T e is open, then there exists a CMAEHS for 9. 



Proof. The needed Hintikka structure H for the formula 9 is built out of the 
final tableau T e by renaming the relations between the states, such that they 
correspond to a subset of E. This is done by labeling the edges from A to A' 
with the set A for which A A' in T e . 

Now, let E be the set of agents occurring in 9, and let S — S e . For any 



AEV^ 



(E), let iVi 



= {(A,A')eSxS \ A 



A' for some <p }, and let 7Z 



c 

A 

be the reflexive, transitive closure of (J bcaT^-b- Let L(A) be the labelling of 
the state in T, i.e. the sets of formulae that has been associated with A. 
Finally, let Hg = (E, S e , {Tl^} AeV+(s) , {R C A } AeV+(E) , AP, L). 
We will now show that He is a Hintikka structure. To that end, we have 
to prove (E, S,{TZ A }Aev+(E),{'R-A}Aev+(E)) is a CMAES, and that condi- 
tions (CHl)f(CH4) of Definition 10 hold for H. The former is clear from the 
construction of %. 

holds since all states in the final tableau are fully expanded, 
is satisfied since, otherwise, the state would have been deleted from 



(CHI) 



(CH2) 



the tableau due to (El) 
Likewise 



(CH4) is satisfied since, otherwise, the state would have been re- 



moved due to (E2). 
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(CH3) holds. Let (A, A') e 1Z% (i.e. 



A' 



It remains to show that 
T e ), and B C A. We need to show that D B ^64oD fl ^6 Z\'. If T) B tf> e A 
then due to the propagation rule (DR), Dg^ 6 J 1 , where r is the prestate in 

-.D^jUJ 



the final pretableau, such that A '—^f r —■* A'. Thus D^V is a l so m A' since 
is included in all cut-saturated expansions of r. The other direction follows 
from Lemma [TT1 

Theorem 3 (Completeness). Let 8 € £ and iei T e &e open. Then, 8 is satis- 
fiable in a CMAEM. 



Proof. Immediate from Lemma 12 and Theorem [T] 



6 Complexity, efficiency, and possible optimizations of 
the tableau procedure 

6.1 Complexity 

The termination of the tableau procedure described above is a fairly straight- 
forward consequence of the finiteness of the set of all possible labels of states 
and prestates and their re-use in the construction phase. In this subsection, we 
estimate the worst-case running time of all phases of the procedure. 

We denote by \8\ the length of a formula 8 and by |ecl(0)| the number of 
formulae in ecl(0). Let \8\ = n and the number of agents occurring in 8 be k. 

By Lemma [6j |ecl(0)| < ckn for some (small) constant c. Then, the number 
of prestates and states in the tableau for 8 is 0(2 ckn ). Comparing two states or 
prestates takes 0(ckn) steps (assuming a fixed order of the formulae in eel (6), 
and each state being represented as a 0/1 string of length ckn), hence check- 
ing whether a prestate or a state has already been created, takes 0(ckn2 ckn ). 
Therefore, the construction phase takes time 0(ckn2 2ckn ). 

The prestate elimination phase takes time 0(2 ckn ). Checking realization of 
an eventuality in a state takes 0(2 ckn ) steps and the number of eventualities 
is bounded by n, hence the elimination of a 'bad' state takes at most (D(n2 ckn ) 
steps. Hence, the elimination state takes 0(n2 2ckn ) steps. 

We conclude that the whole tableau procedure terminates in 0(ckn2 2ckn ) 
steps, hence it is in EXPTIME, which is in compliance with the known EXPTIME(- 
complete) lower bound (see [5], [TP]). 



6.2 Efficiency 

Some features of the "diamond-propagating" procedure described above make it 
sometimes practically sub-efficient. 

Firstly, the application of the cut rules |CS1| and |CS2| can produce many 
cut-saturated sets, even after imposing the restrictive conditions C\ and C*2- 
Potentially, it can create a number of states that is exponential in the number 
of subformulae of the form or Ca^ occurring in the formulas of the input 

set r. 
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Secondly, when applying the rule (DR) to a state A with respect to some 
-iDj^ip, we propagate to the newly created prestate all the diamond-formulae 
of the form ^D^V; where B C A, except ^D^tp itself. Likewise, all formulae 
->C Aip where A and B are not disjoint, get propagated. Thus, the presence 
of a "diamond" in a prestate r is then passed on to all states in states(J n ), 
resulting in the need to apply the rule (DR) to every state in states(_T) with 
respect to this diamond; this, again, implies the creation of a large number of 
states (even though, as we have shown, the maximal number of states is still no 
more than exponential in the size of the input formula). However, we re- iterate 
that this 'diamond-propagation' is necessary for the procedure developed here, 
because if a diamond-formula is not propagated forward, then its negation, which 
is a box-formula, may be added to a successor state and thus clash with that 
diamond-formula in the current state. 

On the other hand, the restrictive conditions C\ and C 2 for the application 
of cut-saturation in the production of CS-expansions can have a very significant 
effect on the size of the tableau, as illustrated by the next example. 

Example 5. Suppose we want to build a tableau for the formula 9 = C{ a b jG a p — > 
->C{;, jC }Dhp = -^(C{ a fi}~D a p A C{f,. c }D{,p) and suppose that E = {a, b, c}. We 
start off with creating a single prestate {9}. Using only the unrestricted con- 
ditions C\ and C 2 to cut, applying the rule (SR) to this prestate produces an 
overwhelming number of 35 states: 

1. {6>, ^C {ajb} D a p, ^D a C {ajb} D a p, D a p,p, C {b|C} D b p }; 

2. {9, ^C{ aii ,}D a p, ^D a C {ajb} D a p, D a p,p, -iC{ btC }T) b p, ^D b C {f ,, c} D b p, D b p}; 

3. {9, ^C{ aii ,}D a p, ^D a C{ aj6 }D a p, D a p,p, -iC{ btC }T> b p, ^D b C{ b>c }D b p, ^D b p}; 

4. {9, ^C {aib} D a p, ^D a C {ajb} D a p, D a p,p, ^C {f , jC} D 6 p, ^D c C {bjC} D b p, T> b p}; 

5. {9, -^C{ a>b }~D a p, ^D a C {ajb} D a p, D a p,p, -iC{ biC }D(,p, ^D c C {biC }D b p, ^D b p}; 

6. {9, ^C {ajb} D a p, ^D a C {ajb} D a p, ~D a p,p, ->C {btC} 'D b p, ^D b p}; 

7. {6>, ^C {ajb} D a p, ^D a C {ajb} D a p, ^D a p, C {bjC} D b p ,p}; 

8. {9, ^C {ajb} D a p, ^D a C {ajb} D a p, ^D a p, ^C {bjC} D b p, ^D b C {b , c} Df,p, D b p, p}; 

9. {9, ^C{ ajb }D a p, ^D a C{ ajb }D a p, ^D a p, ^C{ bjC }D b p, ^D b C{ bjC }Df,p, ^D b p}; 

10. {9, ^C{ ajb }D a p, ^D a C{ aib }D a p, ^D a p, ^C {bjC }D b p, ^D c C {bjC }D b p, D b p,p}; 

11. {9, ^C {ajb} D a p, ^D a C {ajb} D a p, ^D a p, ^C {bjC} D b p, ^D c C {bjC} D b p, ^D b p}; 

12. {9, ^C {ajb} D a p, ^D a C {ajb} D a p, ^D a p, ^C {bjC} D b p, ^D b p}; 

13. {9, ^C {ajb} D a p, ^D b C {ajb} D a p, D a p,p, C {biC} Dt,p }; 

14. {9, ^C {ajb} D a p, ^D b C {ajb} D a p, D a p,p, ^C {b>c} D b p, ^D b C {b>c} D b p, D b p}; 

15. {9, ^C {ajb} D a p, ^D b C {ajb} D a p, D a p,p, ^C {b>c} D b p, ^D b C {b>c} D b p, ^D b p}; 

16. {9, ^C{ ajb }D a p, ^D b C{ ajb }D a p, D a p,p, ^C {b , c }D b p, -^F> c C{ biC} 'D b p, D b p}; 

17. {9, ^C{ ajb }D a p, ^D b C{ ajb }D a p, D a p,p, ^C {b>c }D b p, -iD c C{j,, c }D(,p, ^D b p}; 

18. {9, ^C {ajb} D a p, ^D b C {ajb} D a p, D a p,p, ^C {b>c} D b p, ^D b p}; 

19. {9, ^C {ajb} D a p, ^D b C {ajb} D a p, ^D a p, C {b , e} D b p ,p}; 

20. {9, ^C {ajb} D a p, ^D b C {ajb} D a p, ^D a p, -iC {6iC} D 6 p, -iD 6 C {6iC} D 6 p, D b p,p}; 

21. {9, ^C {ajb} D a p, -iD b C {aib} D a p, -~T) a p, -iC {( , iC }D b p, ->T) b C {biC} T) b p, ^D b p}; 

22. {9, ^C {ajb} D a p, ^D b C {aib} D a p, -~T) a p, -^C{ b ^T> b p, ^D c C {bjC} D b p, D b p,p}; 

23. {9, ^C{ ajb }D a p, ^D b C{ ajb }D a p, ^D a p, -iC{ btC }T) b p, ^D c C{ b>c }D b p, ^D b p}; 

24. {9, ^C {ajb }D a p, ^D b C {aib} D a p, -~T) a p, -iC{(,, c }Di,p, ^D b p}; 

25. {9, ^C {a , b} D a p, ^D a p, C {biC} D b p,p}; 



29 



26. {9, ^C {a , 6 }D a p, ^D Q p, -iC{ 6]C }D 6 p, ^D b C {t ,, c }D(,p, Dtp, p}; 

27. {0, ^C {aib} D a p, ^D a p, ^C {f , iC} D(,p, -.D&C^^Dbp, ^D 6 p}; 

28. {9, ^C {a , ft} D a p, ^D a p, ^C {( ,, c} D(,p, ^D c C {M} Di,p, D 6 p,p}; 

29. {0, ^C {aib} D a p, ^D a p, ^C {f , iC} D 6 p, ^D c C {bjC} D 6 p, ^D(,p}; 

30. {9, ^C{ a , 6 }D a p, ^D a p, ^C{i, iC }D 6 p, ^D b p}; 

31. {9, C {aii)} D a p,p, ^C^.cjDtp, ^D b C {f ,, c} D(,p, D;,p}; 

32. {9, C {aii ,}D a p,p, -iC{i, iC }D6p,-iD6C{5 iC }Dbp,-iD6p}; 

33. {6>, C {a;b} D a p ,p, ^C {i , iC} D 6 p, ^D c C {bjC} D 6 p, D b p}; 

34. {9, C {aih} D a p ,p, ^C {b , c} D 6 p, ^D c C {bjC} D 6 p, ^D b p}; 

35. {0, C {a ^ } D a p ,p, ^C {hie} D;,p. ^Dfcp}; 

If we instead use the restricted \C\ | and jC^l we will produce 8 states: 

1. {9, ^C {a , 6} D a p, ^D Q C {ai6} D a p, D a p,p} 

2. {9, ^C {aib} D a p, ^D a C {aji , } D a p, ^D a p} 

3. {9, -iC {a]i)} D a p,-iDi,C {a]i , } D a p} 

4. {0,^C {a , b} D a p,^D a p} 

5. {0, ^C{(, >c }Dt,p, ^D 6 C{(, >c }D 6 p, D 6 p,p} 

6. {9, -^C {biC} D b p, -iD b C {f , iC }Di,p, ^D(,p} 

7. {0,-iC{ fejC }D6p,-.D c C{(, lC }D6p} 

8. {6>,^C {6 , c} Dt,p,^D 6 p} 

Figure [5] shows the pretableau for one part of 6, i.e. ^C{ a fc }D a p. The tableau 
for the other part of 9 will be similar and disjoint from this tableau. 

As seen here, the backtracking procedure is rather inefficient when applied 
to formulae of the type of C{ a ^T) a p — > -^G^^HbP- n 



Both causes of potential inefficiencies discussed above, viz. the forward diamond- 
propagation and the (restricted) analytic cut rules on box-formulae, are needed 
to ensure that every "successful" tableau can be turned into a Hintikka struc- 
ture. More precisely, they together ensure that the right-to-left implication in 
the statement of property (CH3) of Hintikka structures (recall Definition 10 1 
holds. 

A possible way of eliminating these causes for inefficiencies is to change the 
strategy in the tableau-building, by implementing a mechanism for backward 
propagation of boxes: if Ti^Lp occurs in a state A, then ensure that this box is 
propagated backwards to all predecessor states where it must occur. The main 
disadvantage of this approach is that it requires an elaborated mechanism of 
repeated updating the hitherto constructed part of the tableau. We leave the 
realization of this idea for future work. 



6.3 Improvements 

As stated earlier, the main emphasize of our tableau construction is the ease of 
presentation, comprehension and implementation, rather than technical sophis- 
tication and optimality of the procedure. While being worst-case time optimal, 
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X = -D a p, Xa = -,D a C {ab} D a p, Xb = -D 6 C {al) D„p 




{a, 6} 



D a p} 



(^ C {«,4} D «f' nD » C {«.ll D «P^ D «P'P) 
{^p, D a ^C {a b }D a p} 

{^ C {a,6} D "P' - D »Pl 

{^p, D a ^C {o b} D a p, ^D a C {a b} D a p} 

{^P> ^ C {a,b} D "P- - D «f) 

{^P> ^ C {a,b} D oP- " D l C {a,l) D «fl 



= {-P, 



D a p, ^D a C 



{a, 6} 



D a p, -nD a p} 



= ^ C {a,i>} D "P' D oP,P, ^ D 6 C { a ,b} D oP} 



{ab} 



D a p} 



(" C {a,6) D «I'' ^ D aP> 
{^ C {a,6} D aP. -D b C {Q 6} D a p} 
(^ C {o,i) D «P- -D a C {a 6 jD a p, ^D a p} 



{a, 6} 



{a, 6} 



D a p, D a p , p } 



Fig. 5. Pretableau for ^C{ a 6 }D a p 



it is amenable to various improvements and further optimizations, some of which 
we will mention briefly here. 

To begin with, for methodological reasons, our procedure is divided into 
three phases, where the different components of the tableau-building procedure 
are dealt with separately. That separation of the procedure into phases makes 
it less optimal compared to the approach whereby the three phases are carried 
out simultaneously and the prestate and state elimination is done 'on-the-fly'. 



Also, as briefly mentioned in Section 4.1 it is possible to make the procedure 



cut-free by using a mechanism for 'backwards propagation' of D-formulas, which, 
when well designed can lead to more optimal performance in some cases. This 
approach is taken e.g., in |22j . where the authors construct a cut-free tableau- 
based algorithm for the logic PDL with converse, while the algorithm presented 
in [29] builds on this work by constructing a cut-free tableaux-based algorithm 
for the description logic SHI, which contains inverse roles. Both methods account 
for the case where a (number of) formula(s) turns up in a node, which will be 
required to be in the already created predecessor node of the node in question. 
The former algorithm deals with eventualities, too. Adopting this approach to 
our procedure while optimizing it for the logic CMAEL(CD) would result in 
a procedure sketched below. 
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State elimination 'on-the-fly' Here we make use of the concept of 'potential 
rescuers' used in [53] and [35], though in a slightly different way, adjusted to our 
needs. We likewise take on board the techniques of updating and propagating 
statuses of nodes in the tableaux. 

Firstly, we maintain a status for (pre)states, which can either be unexplored, 
open or closed. The status of a (pre)state is initially set to unexplored when the 
(pre)state is created, and then updated during the procedure. When a prestate is 
expanded or a state expanded for all diamond-formulas in it, its status changes 
to open. Later on the status of a state A can then change to closed in the 
following cases: 

— there is an epistemic prestate F such that A -4 F for a formula S and the 
status of r is closed. 

— A contains an eventuality -^Ca<P that it neither realized in the current 
tableau under construction nor has a "potential rescuer" . A potential rescuer 
is a (pre)state, which is A-reachable from A, contains —iCa<P, and has not 
been expanded yet, i.e. it has status unexplored. Here we use a modified 
definition of A-reachability, where --^-arrows are allowed too. 

The status of a prestate r is set to closed if: 

— all states in states(-T) are closed, including the case where states(T) = 0, 
or 

— r contains an eventuality that it neither realized nor has a potential rescuer. 

Additionally, we make sure, that unsatisfiable (pre)states are removed on-the-fly 
and that the procedure stops and the tableau closes as soon as unsatisfiability 
of the input prestate is detected during the procedure, i.e.: 

— We close a prestate when it is expanded and does not have any cut-saturated 
expansions. 

— When a (pre)state E closes, we propagate updates of statuses to the relevant 
(pre)states, whose status depend on the status of E. These are (pre)states 
that have outgoing arrows pointing to E. 

— We keep an eye on the initial prestate, labelled with the input formula whose 
satisfiability we are checking. When/if this prestate closes, we stop the whole 
procedure and return "unsat" . 

Finally, we also want to avoid the unnecessary checking of unrealized eventual- 
ities, since this step is one of the more expensive checks. Thus, when updating 
the status of a (pre)state we only check containment of unrealized eventualities, 
when this is really necessary. E.g., we do not check that if a potential rescuer is 
known to be reachable. This of course requires some bookkeeping. 

Making the procedure cut-free The procedure above takes care of doing 
the satisfiability checking 'on the fly', however it is not cut-free. Though, the 
procedure can be made cut-free by incorporating the following: 
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Firstly, we use full expansions instead of cut-saturated expansions. Secondly, 
we now need to account for a further reason why a state A can close, namely 

that A contains a diamond formula -iD^y, such that A '—^f r and all states in 
states(-T) are incompatible with A with respect to -iD^yj. Here, A' £ states(P) 



is incompatible with A if {T>A>ip € A' \ A' C A} % A, i.e. condition (CH3) 



will not be fulfilled in the resulting Hintikka structure. This, however, does not 
neccessarily mean, that the state A needs to close. After all, since we are not 
proactively looking ahead for box- formulas which could possibly occur in a 
future descendent state of A and include these in A (as is done when using 
cut-saturated expansions), it is possible that A could become satisfiable if the 
box-formulas in question were added to A. 

Therefore, when it happens that A — 4 V r and none of the states in states {T) 
are compatible with A with respect to —Da^, we construct so-called 'alterna- 
tives' for the state A. These are states labelled with the fully expanded sets AuS' 
for each S' £ [J A , e states(r) T£{{ D A /<0 6 A 1 | A' C A and T> A ^ £ A}). Then 
---►-arrows pointing to these alternatives are added from each prestates pointing 
to A, and finally we close the original state A (and propagate the change of 
status that hereby occurs, as described previously). 

In this procedure, we need to keep track of when such incompatibilities occur, 
which requires some further bookkeeping. 



7 Concluding remarks 



We have developed a sound and complete tableau-based decision procedure for 
the full coalitional multiagent epistemic logic CMAEL(CD). The incremental 
tableau style adopted here is intuitive, practically more efficient, and more flexi- 
ble than the maximal tableau style, developed e.g., for the fragment MAEL(C) 
of CMAEL(CD) in [25], and therefore it is more suitable both for manual and 
automated execution. In fact, an earlier, less optimal version, of this procedure 
has been implemented and reported in |42j . On the other hand, as discussed in 
the previous section, various further optimizations of the procedure are possible 
and desirable, and some such optimizations have been developed for logics re- 



lated to CMAEL(CD), see Section 1.2 Furthermore, our tableau procedure is 



also amenable to various extensions, subject to current and future work: 



— to temporal epistemic logics of linear and branching time, preliminary reports 
on which have appeared respectively in |15j and |16j . 

— with the strategic abilities operators of the Alternating-time temporal logic 
ATL, a tableau-based decision procedure for which were developed in [T7] . 
Merging tableaux for these two logical systems will produce, inter alia, a 
feasible decision procedure for the Alternating- time temporal epistemic logic 
ATEL @D]. 

— a cut-free, 'on the fly' version, as described in Section [6T3[ 
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